1. Introduction and background

1.1 On 10 January 2017, the European Commission issued a proposal for a new ePrivacy Regulation (ePR), triggering a legislative process that is still ongoing. The proposed ePR was intended to replace the existing ePrivacy Directive 2002/58. As well as updating the current ePrivacy framework in the EU, the Commission has qualified the proposal as lex specialis to the General Data Protection Regulation 2016/679 (GDPR), which it is designed to “complement and particularise.” With this in mind, the original aim had been for the proposed ePR to become enforceable on 25 May 2018 (at the same time as the GDPR).

1.2 Following the publication of the proposed ePR, the European Parliament adopted its report with the mandate for entering into inter-institutional negotiations in October 2017. However, the Council of the European Union has not yet been able to agree its position. The Council has been seeking better alignment of the proposed ePR with the GDPR and to find solutions on many open questions. After two and a half years of negotiations, it remains uncertain whether a Common Approach can be reached.

1.3 During the nearly three years since the proposed ePR was issued, many amendments have been suggested and debated in the Council with a view to solving the concerns raised by Member States. These amendments have sought to achieve the right balance between the need for technological innovation, public security and the protection of privacy in the context of the digital economy. The structure of the proposed ePR and the way in which it was originally construed, however, have made a suitable way forward difficult to find.

1.4 This study aims to provide a critical evaluation of the proposed ePR. It is by no means an exhaustive analysis but looks at some of the aspects that have proven to be in conflict with the approach of the GDPR and the various objectives behind the proposal. This study also aims to formulate some essential public policy suggestions for a new text which supports the objectives of the proposed ePR in a more pragmatic and feasible way, avoiding the legal uncertainty created by some foundational elements of the current proposal.
3. Critical analysis of the current proposal for an ePrivacy regulation

(A) Overview of the proposed ePR

3.1 [illegible in source]

• Chapter I sets out the material and territorial scope of the proposed ePR and defines various terms used. While definitions are borrowed from the GDPR and the European Electronic Communications Code (EECC), they are expanded to include “ancillary features” under the definition of “interpersonal communications service” as well as non-personal data under the definition of “processing.”

• Chapter II focuses on the protection of end-users’ electronic communications data (comprising the two categories of content data and metadata, as well as rules on storage and erasure) and the integrity of their terminal equipment (comprising the two categories of information “collected from” and “emitted by” terminal equipment). Different sets of legal bases (for a total of 22) and conditions are set out separately for each category of data. New consent requirements compared to the ePrivacy Directive are set out for the processing of content and metadata by service providers. Separate rules and conditions are also set out for the compatible processing of metadata and for the detection of child sexual abuse material.

• Chapter III sets out specific obligations for number-based interpersonal communications services, traditionally applicable to telecoms operators, concerning calling line identification, the prevention of unwanted calls and publicly available directories.

• Chapter IV provides for Member States to designate one or more competent authorities for the ePR’s enforcement, which can include not only Data Protection Authorities (DPAs), who are responsible for the GDPR, but also National Regulatory Authorities (NRAs) responsible for telecoms regulation. The European Data Protection Board is entrusted to “contribute to” the ePR’s consistent application (as opposed to “ensure” in the original Commission proposal), establishing only a general duty to cooperate between the competent authorities, not subject to the GDPR’s consistency mechanism.

• Chapter V provides for remedies, liability and penalties. It sets out administrative fines for infringements of specific provisions of up to 4% of total worldwide annual turnover, which can apply concurrently with GDPR penalties.

• Chapters VI and VII set out the rules for the adoption of delegated acts, where the Commission will be assisted by the Communications Committee, responsible for the European Electronic Communications Code (EECC), as opposed to the Committee responsible for the GDPR.

3.2 To summarise, the proposed ePR seeks to provide for the confidentiality of electronic communications data and terminal equipment data by defining specific and limited situations in which processing of such data is permitted. It also sets out rules preventing direct marketing by any individual or organisation unless the end-user has consented or when such communications happen in the context of a purchase of a product or a service.

3.3 For the purposes of this analysis, the key focus is on the provisions dealing with electronic communications data and terminal equipment, as these provisions are at the core of the current legislative debate and present the greatest challenge to meeting the proposal’s policy aim.

(B) Analysis of the proposed ePR’s electronic communications data provisions

3.4 The proposed ePR’s Explanatory Memorandum makes it clear that the proposal is intended to build upon and complement the existing structure of the EU’s data protection and telecoms frameworks, ensuring that areas where there is a genuine legislative gap are adequately dealt with to protect privacy.

3.5 The confidentiality of electronic communications does indeed involve considerations which are not specifically addressed in the GDPR. Complementary provisions with respect to these processing activities may, therefore, be appropriate. However, the proposed ePR tackles confidentiality predominantly by replacing the legal bases for processing available under the GDPR with new sets of legal bases depending on the category of data at hand. This approach is narrow and causes tensions with key features of the GDPR, as further explained below.


Complexity and inconsistency in the legitimacy of data uses

3.6 The GDPR’s Article 6 allows for six lawful grounds for data processing, all of which have equal status. This provides a pragmatic approach to the legitimacy of the processing of personal data.

3.7 In contrast to this approach, the proposed ePR (Article 6, which the Council has split into six articles, from 6 to 6d) establishes a general prohibition on the processing of electronic communications data, except when permitted under one of its legal bases, which vary for electronic communications content and electronic communications metadata. In the original Commission proposal, such exceptions, depending on the type of data at hand, are essentially linked to: the mere transmission of communications (Article 6(1)(a)); network and service security (Article 6(1)(b)); service provision subject, in addition, to end-user consent (Article 6a(1)(a)); consent of the end-users involved in the communication for specific purposes (Articles 6a(1)(b) and 6b(c)); network management/optimisation (Article 6b(a)); and billing (Article 6b(b)).

3.8 The diverse use cases and types of data processing that could be covered as electronic communications data, going beyond the traditional use cases covered under the telecoms-related legal bases illustrated above, show that an approach that relies on a blanket prohibition qualified by limited exceptions is likely to lead to unwanted effects.

3.9 The resulting framework covering the general confidentiality of communications has grown in complexity, as the legislators sought ways to avoid situations where specific desirable use cases could be identified but could not be accommodated under one of the originally proposed legal bases. This has included taking into account: expanding the scope of Article 6(1)(a) beyond transmission to cover service provision as a whole; improving device security (Article 6(1)(c)) as opposed to the sole security of networks and services; compliance with a legal obligation (Article 6(1)(d)); traffic management and optimisation (Article 6b(a)) as opposed to mandatory quality of service; the protection of vital interests (Article 6b(d)); statistical purposes and scientific research (Article 6b(f)); compatible purposes (limited to metadata under Article 6c, which in addition to restating those contained in the GDPR lists another five conditions); and the detection of child abuse material (with specific rules contained in Article 6d).
3.10 The narrow scope allowed by the proposed exceptions does not allow for nuance in the array of processing activities which fall within the scope of the proposed ePR and undermines the complexity of electronic communications. This is a clear handicap for a piece of legislation that relates to a constantly evolving sector. As well as potentially damaging its long-term relevance and effectiveness, this creates an obvious conflict between the approach taken by the GDPR, which allows the lawful bases and legitimacy for processing to be interpreted in a context-specific manner, and the proposed ePR, which treats all in-scope processing activities as high-risk.

3.11 This conflict is particularly evident in the context of evolving communications and digital technology. At present, the development of machine-to-machine (M2M) communications, Internet of Things (IoT) devices and services, and artificial intelligence (AI) relies on the ability to retrieve and use data which is likely to be regarded as electronic communications data under the proposed ePR. The use of AI, which is an essential part of the Commission’s strategy to digitise industry and society, is crucially dependent on access to electronic communications data.

3.12 As a result, the protection of electronic communications data should be achieved by ensuring that any additional layer of regulation applicable to it is compatible and consistent with the GDPR. The conditions for data processing set out in Article 6 of the GDPR for personal data and in Article 9 of the GDPR for special categories of personal data need not be undermined, as they provide a tried and tested ground for the use of data which is also suitable in the context of electronic communications.

3.13 This is further reinforced by the relationship between Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (the “Charter”). The Court of Justice of the European Union has repeatedly stated that the right to respect for private life (under Article 7 of the Charter) is closely connected with the right to the protection of personal data (under Article 8 of the Charter). This close relationship emphasises and demonstrates the fact that the protection of the right to respect for private life, which the proposal is specifically seeking to protect with regard to communications, needs to be compatible with the mechanisms of protection set out in the current framework dealing with the protection of personal data, and more specifically the GDPR.


The loss of the GDPR’s risk-based approach

3.14 As indicated in the GDPR’s recitals, risk in a data protection context is an objective assessment determined by considering the nature, scope, context and purposes of the processing. This creates flexibility and, by being context-specific, allows for the same legal framework to adapt and apply to a myriad of processing activities, situations and risks.

3.15 A consideration of risk is enshrined throughout the GDPR and the word “risk”/“risks” can be seen in use in many of its key provisions, including most significantly:

• Article 6(1)(f) enables organisations to process personal data based on their legitimate interest after conducting a risk-based assessment of how that processing will affect the rights and freedoms of individuals.

• Articles 24 and 32 allow controllers and processors to implement technical and organisational measures to ensure compliance with the regulation and a level of security appropriate to the risk to individuals.

• Articles 33 and 34 allow a controller to assess whether or not a breach is worthy of reporting to the relevant DPA and data subjects based on the level of risk posed to those data subjects.

• Article 35 allows a controller to determine whether a data protection impact assessment is required for a particular processing activity depending on the risk to individuals.

3.16 Given that the proposed ePR is intended to be read alongside the GDPR, some of these risk-based GDPR provisions will of course still apply to the processing of electronic communications data. Nonetheless, a fundamental component of such flexibility in the application of the law is missing in the proposed ePR, namely the ability to identify the most appropriate legal bases in a manner that is proportionate to the risks of the associated data processing. Again, this creates a dual and conflicting system in which standards for the protection of personal data are not consistently applied.
(C) Analysis of terminal equipment provisions

3.17 Similarly to the situation regarding electronic communications data, the terminal equipment provisions in the proposed ePR, which include separate rules pertaining to information “collected from” (Article 8(1)) and “emitted by” (Article 8(2)) terminal equipment, are in conflict with the approach taken in the GDPR for the following principal reasons:

• The complexity of the data uses covered.

• The loss of the GDPR’s risk-based approach.

We explain each of these points in more detail below.

Complexity of data uses covered

3.18 Article 8(1) of the proposed ePR is drafted widely, and includes “processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware.” This scope is wider than that currently covered by the ePrivacy Directive (Article 5(3)), which is limited to “the storing of information, or the gaining of access to information already stored” in terminal equipment. Contrary to the current ePrivacy Directive, the proposed ePR does not only apply to the cookie use case, where data has to be stored on a device, but also to any information about such a device. This is particularly noteworthy in the case of IoT devices, as any processing of data for the resulting IoT service will be based on data about that device.

3.19 As a consequence, the processing of a broad spectrum of information, including both personal and non-personal data, will be subsumed under the ePR’s provisions on terminal equipment, irrespective of the actual impact of such processing on the secrecy of communications and private life. Moreover, application of the ePR’s terminal equipment provisions is not bound by the definition of electronic communications service, which by contrast triggers the application of the electronic communications data provisions. This means that any digital service, even those not qualified as electronic communications services or information society services, will have to implement the ePR’s terminal equipment provisions.

3.20 By way of non-exhaustive examples, M2M-, IoT- and AI-related areas that may be adversely affected by this include:

• Research in e-health and the deployment of remote medical services;

• Research and development of safety features in the automotive industry and, in particular, autonomous and self-driving vehicles;

• Monitoring and running of essential services ranging from energy consumption and manufacturing processes to banking and transportation;

• Cybersecurity generally; and

• Research and development of new features and services generally, even based on pseudonymous or anonymous data.

[Infographic: M2M-, IoT- and AI-related areas that may be adversely affected include: research in e-health; autonomous and self-driving vehicles; monitoring and running of essential services generally; research and development of new features; cybersecurity.]


3.21 Similarly to the electronic communications data provisions, the proposed ePR tackles confidentiality predominantly by replacing the legal bases for processing available under the GDPR with new legal bases. It sets out a blanket prohibition on the processing of terminal equipment data followed by a narrow list of exceptions. These essentially relate to: the transmission of electronic communications or the establishment of a connection (Articles 8(1)(a) and 8(2)(a)); the end-user’s consent (Articles 8(1)(b) and 8(2)(b)); service provision (Articles 8(1)(c) and 8(2)(d)), which is interpreted strictly; audience measuring limited to information society services or statistical counting (Articles 8(1)(d) and 8(2)(c)); security of information society services and terminal equipment (Article 8(1)(da)); software updates that are necessary for security reasons (Article 8(1)(e)); and determining location for emergency calls (Article 8(4)(f)).

3.22 As we have observed in relation to electronic communications data, the narrow list of permitted processing activities concerning terminal equipment has grown compared to the original proposal from the Commission (11 in the latest text as opposed to 6) to allow specific uses that could be identified during the negotiations. Nevertheless, the list contained in the latest Council text remains narrow and undermines the complexity of the processing activities which fall within the scope of the proposed ePR’s terminal equipment provisions.

The loss of the GDPR’s risk-based approach

3.23 Misalignment with the GDPR is again particularly noticeable with respect to the form of risk-based assessment set out in the GDPR’s Article 6(1)(f). Processing on the basis of a controller’s legitimate interests under the GDPR is meant to help prevent overreliance on other legal bases, such as consent, under the right circumstances and subject to adequate safeguards.

3.24 The GDPR’s legitimate interest legal basis places an obligation on the controller to weigh whether the interests or fundamental rights and freedoms of the data subject override the controller’s legitimate interest. In instances where this “balancing test” shows that the processing is too invasive with respect to the data subject’s interests, Article 6(1)(f) cannot be invoked.

3.25 Unlike processing under one of the GDPR’s other five grounds, which is considered a priori legitimate, Article 6(1)(f) requires a specific test to be carried out. The use of legitimate interest presents complementary safeguards requiring appropriate measures on the part of controllers and “aims at a balanced approach, which ensures the necessary flexibility for data controllers for situations where there is no undue impact on data subjects, while at the same time providing sufficient legal certainty and guarantees to data subjects that this open-ended provision will not be misused.” This way, individuals’ rights are still protected, including their right to opt out of the processing at any time (Article 21 of the GDPR), but an element of flexibility is introduced.

3.26 To ensure consistency with the GDPR and longevity of the new ePrivacy rules, similar determinations should be allowed through the use of balancing tests in relation to the protection of end-users’ terminal equipment. At present, processing that does not fall within Article 8’s narrow exceptions but is nonetheless not high-risk, intrusive or potentially harmful cannot rely on any legal basis in the proposed ePR apart from consent (Articles 8(1)(b) and 8(2)(b)). This creates an inherent tension with the need to “create more specific exceptions, to allow for the processing of data that causes little or no impact on the rights of users to secrecy of communications and private life.”
4. An alternative approach to regulating ePrivacy in the EU

4.1 In a world where electronic communications and devices play an increasingly important role in everyday lives, personal data — including electronic communications and terminal equipment data — becomes increasingly valuable. A clear set of ePrivacy rules which protect the privacy of individuals in harmony with the GDPR is needed to ensure an appropriate balance between protection and beneficial types of data processing.

4.2 Our analysis above has illustrated how the proposed ePR, in the Council version that has tried to accommodate this balance over the course of two and a half years of negotiations, fails to achieve a workable framework that can complement rather than contradict essential elements of the GDPR.

4.3 In light of the critical analysis above and our findings in this respect, the following essential steps should be taken to improve the proposed ePR:

• The text should move away from an approach that protects confidentiality predominantly, if not exclusively, by setting out specific legal bases for the processing of specific types of data. Such an approach would work if the scope of processing activities and the types of data covered were more limited. However, the proposed ePR’s scope includes many different types of processing operations — under this condition, as highlighted in our analysis, misalignment with the GDPR legal bases becomes more difficult to remedy by expanding the list of narrow exceptions.

• The valuable risk-based approach of the GDPR should be applied to the ePrivacy framework. Crucially, this requires the introduction of a similar “balancing test” to that allowed under the GDPR’s Article 6(1)(f), which allows organisations to identify the most appropriate legal bases in a manner that is proportionate to the risks of the associated data processing.

• Data processing that poses no risks to individuals, such as data that is or is made anonymous, should be explicitly excluded from the ePR’s scope, which in line with the GDPR should only apply to personal data. This will be particularly important in an IoT context, where data relating to machines will lack any personal identifiers.

4.4 In conclusion, while a balanced ePR should explicitly reinstate the principle of confidentiality of electronic communications, it should also acknowledge that this is not an absolute principle and that any interference with it should be justifiable in accordance with the existing data protection framework, aligned with Articles 7 and 8 of the Charter. Our recommendations stem from a basic analysis of the proposed ePR as originally put forward by the European Commission and subsequently modified in Council negotiations. Our analysis shows that improvements to the text are possible provided a reconsideration of the proposal’s core approach to regulating the legal bases for processing is undertaken.